Tuesday, December 21, 2010

New URL Shortener Hijacks Browsers for DDoS

In order to outline the dangers of implicitly trusting shortened URLs, a student has launched a service which generates links that take users to their destination, but also hijack their browsers for DDoS.

Called d0z.me, the service is the creation of Ben Schmidt (@supernothing307), a computer science major at the University of Tulsa, who describes himself as a security enthusiast.

The URL shortener was inspired by the recent distributed denial of service (DDoS) attacks launched by Anonymous and in particular the Web version of the group's Low Orbit Ion Cannon (LOIC) tool.

This recently created JavaScript-based LOIC allows people to voluntarily join a DDoS effort by visiting a Web page instead of installing an application on their computers.

The tool works by modifying an image tag's src attribute in order to force the browser to continuously send HTTP requests to the targeted server.

[...]

D0z.me was released as a proof-of-concept and works by loading the destination page in a transparent iframe. The source code is freely available under the GPL.

To use the service, attackers must specify the destination link and the URL to be targeted. The title of the page can also be configured. The resulting short URL can then be spread on social media websites in order to attract as many visitors as possible.

People who click on the link will have no indication that something is wrong, except for the URL in the address bar, which doesn't change from d0z.me.

Meanwhile, in the background, their computer will send hundreds of requests per minute to the target URL. The more time spent on the legitimate destination page, the more effective the attack is.
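From the target's side, the behaviour described above shows up in the access log as one client issuing hundreds of GETs per minute, each carrying the shortener page as its Referer. The following detector is an added example for this article (not code from d0z.me or LOIC); it parses combined-format log lines and flags any client whose busiest minute exceeds a threshold. The log lines, the shortener path and the cache-busting query string are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format: ip ident user [time] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def flag_flooders(lines, threshold=100):
    """Return {ip: (peak_requests_in_one_minute, sorted_referers)} for clients
    whose request rate in any single minute reaches the threshold."""
    per_minute = defaultdict(lambda: defaultdict(int))
    referers = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        minute = rec["ts"].replace(second=0)
        per_minute[rec["ip"]][minute] += 1
        referers[rec["ip"]].add(rec["referer"])
    flagged = {}
    for ip, buckets in per_minute.items():
        peak = max(buckets.values())
        if peak >= threshold:
            flagged[ip] = (peak, sorted(referers[ip]))
    return flagged


def constructed_log():
    """Constructed sample: one browser parked on the shortener page, plus a normal visitor.
    The '?N' query string models cache-busting so every fetch hits the origin (assumption)."""
    flood = [
        f'203.0.113.5 - - [21/Dec/2010:10:00:{i % 60:02d} +0000] "GET /index.html?{i} HTTP/1.1" '
        f'200 512 "http://d0z.me/PLACEHOLDER" "Mozilla/5.0"' for i in range(150)
    ]
    normal = [
        '198.51.100.7 - - [21/Dec/2010:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        '198.51.100.7 - - [21/Dec/2010:10:00:06 +0000] "GET /style.css HTTP/1.1" 200 128 "http://example.org/" "Mozilla/5.0"',
    ]
    return flood + normal
```

Run over a real log, a single IP at hundreds of requests per minute with a shortener Referer is a strong signal to rate-limit that client and to investigate the referring short link.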

"My implementation of this attack is, at best, a hack job, but was merely meant to illustrate how easy it is to actually implement, how simple it is to launch a DDoS simply by getting people to follow a link, and how seriously our reliance on URL shorteners can affect security," Schmidt concludes.